synapse
This tutorial is for users of Debian GNU/Linux who want to create their own Synapse (Matrix homeserver) instance. The official documentation was pretty solid, and I also used some online tutorials, especially the one at Hack Liberty. Although I give credit to these sites, I must say that they both had tons of small to medium mistakes which, combined with the complexity of the project, made this a fairly challenging instance to create. I am quite glad the VM is built, backed up and tarballed. Okay, so first, add the GPG key and apt repository for Synapse, then install it:
sudo apt install -y lsb-release wget apt-transport-https
sudo wget -O /usr/share/keyrings/matrix-org-archive-keyring.gpg https://packages.matrix.org/debian/matrix-org-archive-keyring.gpg
echo "deb [signed-by=/usr/share/keyrings/matrix-org-archive-keyring.gpg] https://packages.matrix.org/debian/ $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/matrix-org.list
sudo apt update
sudo apt install matrix-synapse-py3
You now need to install PostgreSQL and create a database owned by a dedicated non-root user:
sudo apt install postgresql
sudo -u postgres bash
createuser --pwprompt synapse_user
createdb --encoding=UTF8 --locale=C --template=template0 --owner=synapse_user synapse
exit
After creating the database, allow synapse_user to connect to it over the loopback interface. Open PostgreSQL's client authentication file:

sudo nano /etc/postgresql/13/main/pg_hba.conf

and add this line (the ::1/128 entry only covers IPv6 loopback; if localhost resolves to 127.0.0.1 on your system, add a matching 127.0.0.1/32 line as well):

host    synapse    synapse_user    ::1/128    md5

then reload the server so the change takes effect:

sudo systemctl reload postgresql
It's now time to edit the file /etc/matrix-synapse/homeserver.yaml. Remove the default database configuration and replace it with the credentials you just made:

database:
  name: psycopg2
  txn_limit: 10000
  args:
    user: synapse_user
    password: secretpassword
    database: synapse
    host: localhost
    port: 5432
    cp_min: 5
    cp_max: 10
There are now some options that you can configure based on personal preference. Hack Liberty has its own recommendations, and I agreed with some and not with others. Moreover, I also found that Matrix/Synapse currently requires a stricter recipe for the YAML config than their template or even the official docs suggest. I was unable to get homeserver.yaml to work without adding a base URL (public_baseurl) line and a Google reCAPTCHA v2 challenge. Make sure to refer to Synapse's official docs for your use case so that you understand what each option does. Here are the “optional” configurations that I have active, some of which I had to configure to make everything work:
public_baseurl: "https://gnulinux.club"
require_auth_for_profile_requests: true
limit_profile_requests_to_users_who_share_rooms: true
include_profile_data_on_invite: false
allow_public_rooms_over_federation: true
allow_profile_lookup_over_federation: true
allow_device_name_lookup_over_federation: true
enable_registration: True
enable_registration_captcha: True
recaptcha_public_key: "enter pub key here"
recaptcha_private_key: "enter priv key here"
registration_shared_secret: "yourmomismykey"
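The registration options above are the ones that decide who can create accounts on the homeserver, so they are worth checking before every restart. The script below is an added example and not code from the original page or from the Synapse project: it reads the top-level keys from a homeserver.yaml with plain sed (it assumes one "key: value" per line at column 0, which is how the settings above are written) and flags the combinations that leave a server open, such as enable_registration without a CAPTCHA, placeholder reCAPTCHA keys, or a short registration_shared_secret. The function names (yaml_get, is_true, check_registration) are mine.

```shell
#!/bin/sh
# Added example: sanity-check the registration-related keys of a Synapse
# homeserver.yaml before restarting the service. Assumes top-level keys only
# (no nesting) and one "key: value" per line, as in the settings shown above.

# yaml_get FILE KEY -> prints the value of top-level KEY, quotes stripped.
# The pattern is anchored at column 0, so commented-out "#key:" lines are ignored.
yaml_get() {
    sed -n "s/^$2:[[:space:]]*//p" "$1" | head -n 1 \
        | sed 's/[[:space:]]*$//; s/^"\(.*\)"$/\1/'
}

# is_true VALUE -> exit 0 if VALUE is one of the YAML spellings of true
is_true() {
    case "$1" in
        true|True|TRUE|yes|Yes|on|On) return 0 ;;
        *) return 1 ;;
    esac
}

# check_registration FILE -> prints one line per finding, exit 0 if none
check_registration() {
    file="$1"
    problems=0
    base_url=$(yaml_get "$file" public_baseurl)
    reg=$(yaml_get "$file" enable_registration)
    captcha=$(yaml_get "$file" enable_registration_captcha)
    secret=$(yaml_get "$file" registration_shared_secret)
    pub=$(yaml_get "$file" recaptcha_public_key)
    priv=$(yaml_get "$file" recaptcha_private_key)

    # Clients and the CAPTCHA flow need the public URL; it must be https.
    case "$base_url" in
        https://*) ;;
        *) echo "public_baseurl must be set and start with https:// (got '$base_url')"
           problems=$((problems + 1)) ;;
    esac

    # Open registration without a challenge means anyone can create accounts.
    if is_true "$reg"; then
        if ! is_true "$captcha"; then
            echo "enable_registration is on but enable_registration_captcha is not"
            problems=$((problems + 1))
        elif [ -z "$pub" ] || [ -z "$priv" ] \
             || [ "$pub" = "enter pub key here" ] || [ "$priv" = "enter priv key here" ]; then
            echo "captcha is enabled but the recaptcha keys are missing or still placeholders"
            problems=$((problems + 1))
        fi
    fi

    # Whoever holds the shared secret can register users without any CAPTCHA,
    # so it should be long and random (e.g. openssl rand -hex 32).
    if [ -n "$secret" ] && [ ${#secret} -lt 32 ]; then
        echo "registration_shared_secret is shorter than 32 characters"
        problems=$((problems + 1))
    fi

    [ "$problems" -eq 0 ]
}

# usage: sh check_registration.sh /etc/matrix-synapse/homeserver.yaml
if [ $# -gt 0 ]; then
    check_registration "$1" && echo "registration settings look sane"
fi
```

Run against the values exactly as listed above, the check fails on the placeholder reCAPTCHA keys and on the short shared secret, which is the point: those two are the values you must replace before the server goes live.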
In my case, Matrix was not currently allowing un-challenged or un-tokened user registration, so adding the Google challenge was required in order to make it functional (keep verify origin off). I also had to set public_baseurl and enable_registration explicitly. From researching forums and Reddit threads online, I was able to ascertain that this is because Matrix actively changes their criteria/allowances depending on exploits, current threats, etc., meaning that what might be allowed on day x is no longer supported on day y. Now that Synapse is more or less configured, it's time to install your web server of choice. I prefer apache2 since I have a long history of making reverse proxy configs for it, and even got some changes committed (see June 8, 2022) to the recipes project on GitLab (yay!). Note: since ACME's cert-only command always fails for me, whenever I do Apache reverse proxies I first set up a slim website with the stock virtualhost and A records at my DNS host, pull in certs for it, then disable it, as follows:
sudo apt install apache2
sudo certbot --authenticator standalone --installer apache -d gnulinux.club --pre-hook "systemctl stop apache2" --post-hook "systemctl start apache2"
sudo a2dissite 000-default.conf
Refer to apache survival if you need help setting up virtual hosts and/or Apache/LAMP stacks. Once you have built the certs and disabled the dummy website, create two reverse proxy virtual hosts like these:
[[https://repo.haacksnetworking.org/oemb1905/haackingclub/-/blob/master/apache/virtualhosts/synapse.conf|virtualhost-80.conf]]
[[https://repo.haacksnetworking.org/oemb1905/haackingclub/-/blob/master/apache/virtualhosts/synapse-ssl.conf|virtualhost-443.conf]]
Once the reverse proxies are set up, restart the service with systemctl restart apache2.service. It's now time to set up a TURN server (coturn) so that clients behind NAT can function properly: TURN relays voice and video traffic when a direct connection between two clients is impossible. To do that, proceed as follows:
sudo apt install coturn
sudo mkdir -p /etc/coturn/certs
sudo chown -R turnserver:turnserver /etc/coturn/
sudo chmod -R 700 /etc/coturn/
pwgen -s 64 1

The last command (install the pwgen package if it is missing) dumps a random key; that becomes your static auth secret. Copy your certificate and private key into /etc/coturn/certs so the paths referenced below exist, then edit the coturn config:

sudo nano /etc/turnserver.conf

and set the following:

use-auth-secret
static-auth-secret=YOUR-STATIC-AUTH-SECRET-HERE
realm=yoursite.com:5349
no-tcp-relay
denied-peer-ip=10.0.0.0-10.255.255.255
denied-peer-ip=192.168.0.0-192.168.255.255
denied-peer-ip=172.16.0.0-172.31.255.255
allowed-peer-ip=10.0.0.1
user-quota=12
total-quota=1200
cert=/etc/coturn/certs/fullchain.pem
pkey=/etc/coturn/certs/privkey.pem

The three denied-peer-ip lines matter: without them the relay could be used to reach hosts on your private networks, since TURN will happily relay to any peer address it is allowed to. Finally, restart the service:

sudo systemctl restart coturn
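What use-auth-secret and static-auth-secret actually do is easy to get wrong when testing a TURN deployment, so here is an added example (not code from the original page or from the coturn project) that walks through the TURN REST credential scheme coturn implements with those two settings: the client presents a username of the form "EXPIRY:name" and a password equal to base64(HMAC-SHA1(secret, username)); the server recomputes the HMAC and rejects the credential once EXPIRY (a Unix timestamp) has passed, so the long-lived secret never leaves the servers. Synapse does exactly this for its clients when it is given the same secret; the script below does it by hand so you can mint a known-good credential for a TURN test client, verify one, and check that a turnserver.conf still denies the RFC 1918 ranges. It needs openssl and base64; the function names and the sample values are mine.

```shell
#!/bin/sh
# Added example: mint and verify TURN REST credentials for a coturn server
# configured with use-auth-secret / static-auth-secret, and check that the
# config still denies relaying into private address ranges.

# new_turn_secret -> prints a fresh 64-hex-char value for static-auth-secret
# (an alternative to the tutorial's `pwgen -s 64 1`)
new_turn_secret() {
    openssl rand -hex 32
}

# hmac_sha1_b64 KEY DATA -> base64(HMAC-SHA1(KEY, DATA)), no trailing newline
hmac_sha1_b64() {
    printf '%s' "$2" | openssl dgst -sha1 -hmac "$1" -binary | base64
}

# turn_credential SECRET NAME TTL_SECONDS [NOW] -> prints "username password".
# NOW defaults to the current time; it is a parameter so results are reproducible.
turn_credential() {
    secret="$1"; name="$2"; ttl="$3"; now="${4:-$(date +%s)}"
    expiry=$((now + ttl))
    username="$expiry:$name"
    # The password is the HMAC of the username, so it is bound to that expiry
    # and that name; changing either invalidates it.
    password=$(hmac_sha1_b64 "$secret" "$username")
    printf '%s %s\n' "$username" "$password"
}

# turn_credential_valid SECRET USERNAME PASSWORD [NOW] -> exit 0 only if the
# password matches and the expiry embedded in the username is still in the future.
# This is the check coturn performs on every allocation request.
turn_credential_valid() {
    secret="$1"; username="$2"; password="$3"; now="${4:-$(date +%s)}"
    expiry="${username%%:*}"
    case "$expiry" in *[!0-9]*|'') return 1 ;; esac
    [ "$expiry" -gt "$now" ] || return 1
    expected=$(hmac_sha1_b64 "$secret" "$username")
    [ "$expected" = "$password" ]
}

# turnconf_denies_private FILE -> exit 0 if FILE contains a denied-peer-ip line
# for each of the three RFC 1918 ranges, exactly as written in the tutorial.
turnconf_denies_private() {
    for range in 10.0.0.0-10.255.255.255 172.16.0.0-172.31.255.255 192.168.0.0-192.168.255.255; do
        grep -qxF "denied-peer-ip=$range" "$1" || return 1
    done
    return 0
}

# usage: sh turn_cred.sh SECRET NAME   -> prints a credential valid for one hour
if [ $# -ge 2 ]; then
    turn_credential "$1" "$2" 3600
fi
```

A credential minted this way can be pasted into any TURN test client that supports the REST scheme; because the expiry is part of the username, a leaked credential is only useful until that timestamp, which is why Synapse hands clients short-lived ones rather than the secret itself.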
— oemb1905 2022/11/19 23:33